<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://www.sqlservercentral.com/blogs/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>K. Brian Kelley - Databases, Infrastructure, and Security : Windows Workstation</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx</link><description>Tags: Windows Workstation</description><dc:language>en</dc:language><generator>CommunityServer 2007.1 (Build: 20917.1142)</generator><item><title>New Community Resource for IT Pros - Server Fault</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2009/05/01/new-community-resource-for-it-pros-server-fault.aspx</link><pubDate>Fri, 01 May 2009 13:59:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:11612</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=11612</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=11612</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2009/05/01/new-community-resource-for-it-pros-server-fault.aspx#comments</comments><description>&lt;p&gt;Not too long ago the developer community got a fantastic resource called &lt;a class="null" href="http://stackoverflow.com"&gt;Stack Overflow&lt;/a&gt;. It&amp;#39;s a question and answer site, so it&amp;#39;s like forums, only it&amp;#39;s not. The interface is well done, finding questions to answer is easy because of the tag system, and the site has in place a capability to give people who are active more and more capabilities to help manage the site. 
It&amp;#39;s a really neat idea. The issue with Stack Overflow is it is development-centric and by design. So the powers over Stack Overflow have created a sister site called &lt;a class="null" href="http://serverfault.com"&gt;Server Fault&lt;/a&gt; which is for IT professionals -&amp;nbsp;Same interface, same tags, and same increasing ability to help be responsible for the community site. &lt;/p&gt;
&lt;p&gt;Now Server Fault is currently in &amp;quot;private&amp;quot; beta, but that should last only a week or two based on the &lt;a class="null" href="http://blog.stackoverflow.com/2009/04/server-fault-private-beta-begins/"&gt;post about Server Fault in the Stack Overflow blog&lt;/a&gt;. If you&amp;#39;ve been somewhat active on Stack Overflow, check out that blog post, because it tells you how you can get active on Server Fault right now. It is actively being used. If you don&amp;#39;t meet the criteria, don&amp;#39;t worry, one or two weeks go by fast. &lt;/p&gt;
&lt;p&gt;Does this replace&amp;nbsp;technology centric sites like &lt;a class="null" href="http://www.sqlservercentral.com/"&gt;SQL Server Central&lt;/a&gt;? Not really, it&amp;#39;s just another resource. The great thing about SQL Server Central is it covers all things SQL Server. So there are a lot of great SQL Server pros at SSC and at SSC you don&amp;#39;t have to worry about going to a different site if you have a programming question or a system administration/SQL Server administration type of question. SSC covers it all with respect to SQL Server. And you&amp;#39;ll see a lot of us on both sites. I&amp;#39;m a bit more active on Server Fault right now only because I&amp;#39;m trying to stay ahead of &lt;a class="null" href="http://www.brentozar.com/"&gt;Brent Ozar&lt;/a&gt; on reputation and to get a chance to answer some questions there. Brent is a question hawk who will snatch out your prey right from under you! If you post there on a subject related to SQL Server, SANs, or virtualization, do it quick and do it thorough, lest Brent swoop down from on high! Okay, I&amp;#39;m kidding about that. When he&amp;#39;s on, he&amp;#39;s just trying to help, just like the rest of us, and he has a very great in-depth knowledge of multiple technologies. He also helps &lt;a class="null" href="http://stackoverflow.com/about"&gt;support the actual&amp;nbsp;Stack Overflow site&lt;/a&gt; as their DB performance expert. 
&lt;/p&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=11612" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Training/default.aspx">Training</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server/default.aspx">SQL Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/performance/default.aspx">performance</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Microsoft+SQL+Server/default.aspx">Microsoft SQL Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/professional+development/default.aspx">professional development</category></item><item><title>Microsoft Solution Accelerators on TechNet</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2009/01/15/microsoft-solution-accelerators-on-technet.aspx</link><pubDate>Thu, 15 Jan 2009 19:49:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:10059</guid><dc:creator>K. 
Brian Kelley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=10059</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=10059</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2009/01/15/microsoft-solution-accelerators-on-technet.aspx#comments</comments><description>&lt;p&gt;I was browsing through the new titles that are on &lt;a class="" href="http://safari.informit.com/"&gt;Safari&lt;/a&gt; and saw some planning guides around Windows Server 2008 (Active Directory Services, File Services, etc.). Of course, all of these are published as solution accelerators, because they are designed to help IT professionals understand, plan, and implement solutions quicker (hence the term, solution accelerator).&amp;nbsp;Some of these documents have been around for a while, but the Solution Accelerators section groups them all into one place. If you&amp;#39;ve not run across them before,&amp;nbsp;you can find them here:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;a class="" href="http://technet.microsoft.com/en-us/solutionaccelerators/default.aspx"&gt;Microsoft TechNet : Microsoft Solution Accelerators&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Among them are the &lt;a class="" href="http://technet.microsoft.com/en-us/library/cc196387.aspx"&gt;Infrastructure Planning and Design Guides&lt;/a&gt;. There&amp;#39;s guidance on Windows Server 2008, virtualization, and even IIS. But unfortunately, none out there yet for SQL Server. If you&amp;#39;re looking on the &lt;a class="" href="http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx"&gt;security side&lt;/a&gt;, there are the OS security guides from Windows XP on up, including for Vista and 2008. Sorry, no Windows 7 yet.&lt;/p&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=10059" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Virtualization/default.aspx">Virtualization</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Training/default.aspx">Training</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server+2008/default.aspx">Windows Server 2008</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Vista/default.aspx">Vista</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+security/default.aspx">Windows security</category></item><item><title>Whitepaper on Malware to Attack 
Databases</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/11/23/3270.aspx</link><pubDate>Fri, 23 Nov 2007 09:01:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:3270</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>4</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=3270</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=3270</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/11/23/3270.aspx#comments</comments><description>&lt;a href="http://www.argeniss.com/about.html"&gt;Cesar Cerrudo&lt;/a&gt; of &lt;a href="http://www.argeniss.com/"&gt;Argeniss Information Security&lt;/a&gt; has put out a new whitepaper (.pdf format), &lt;a href="http://www.argeniss.com/research/Data0.pdf"&gt;&lt;i&gt;Data0: Next generation malware for stealing databases&lt;/i&gt;&lt;/a&gt;, describing how malware could be crafted to steal information out of databases. For the most part, it stays at a high level. However, Cesar does give a few example queries (for SQL Server), the appropriate API calls to perform certain operations, etc., which delve a bit more into the technical side, but even these are fairly straightforward. To demonstrate what he talks about in the whitepaper, he built a simple proof of concept (PoC), but based on what's in the whitepaper (and what is generally accepted as what's possible), nothing seemed outlandish or hard to do. Just for those worried about that PoC being out in the wild, Cesar states in the whitepaper he's not going to put it out for public consumption because he knows it'll be used for evil. &lt;br&gt;&lt;br&gt;Which brings us to how the malware attacks. 
The typical anatomy for an attack is something similar to:&lt;br&gt;&lt;ul&gt;&lt;li&gt;Discovery&lt;/li&gt;&lt;li&gt;Exploitation&lt;/li&gt;&lt;li&gt;Escalate Privileges (if necessary)&lt;/li&gt;&lt;li&gt;Cover Tracks&lt;/li&gt;&lt;/ul&gt;Since we're dealing with malware, the attack methods are well known. Keeping malware out of the corporate environment, especially considering most of the techniques for detecting malware are &lt;a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci991563,00.html"&gt;signature based&lt;/a&gt;, such as antivirus, is difficult. When users run as local administrators, all it takes is one person clicking on an email that sends that person to a website which exploits an Internet Explorer, Firefox, Microsoft Office, etc., vulnerability to download and install the malware. If the malware is new, there isn't a signature for it. Therefore, it'll likely pass through the scans. &lt;br&gt;&lt;br&gt;But what about the web site and web filtering software used by the organization? Well, if the site hasn't been categorized yet, it really depends on how the web filtering software is configured to handle such sites (if such an option exists). Some web filtering products have heuristic engines which try to analyze the content to determine if it's objectionable or not. Some engines can scan words, others also have the capability to look at images, and the engine in question generates a score. Depending on the score, the page does or does not get displayed. (I'm greatly simplifying the process, but you get the idea.) So if you're building a page that hosts said malware, you ensure it says all the right things to look legitimate for business. In fact, it may very well be a copy of another business page because the only thing you're interested in is deploying the malware. 
If it has been categorized, there have been known exploits of well-known organizations, such as &lt;a href="http://sunbeltblog.blogspot.com/2007/07/more-hacked-university-sites-this-is.html"&gt;educational facilities&lt;/a&gt; and even &lt;a href="http://www.enterpriseitplanet.com/security/news/article.php/3712496"&gt;Yahoo!&lt;/a&gt; in recent days. That means playing a catch-up game before the individual page is categorized. So in other words, getting the malware deployed typically isn't the problem.&lt;br&gt;&lt;br&gt;Therefore, Cesar concentrates on the malware itself. It follows this pattern:&lt;br&gt;&lt;ul&gt;&lt;li&gt;Discover&lt;/li&gt;&lt;li&gt;Attack&lt;/li&gt;&lt;li&gt;Transmit the Data Back&lt;/li&gt;&lt;li&gt;Cover Its Tracks (if necessary)&lt;/li&gt;&lt;/ul&gt;Discovery is where it locates database sources. The two most obvious, and most stealthy, methods are to check the ODBC DSNs on the local system and to look into existing processes for outbound connections to well-known ports (such as tcp/1433 for SQL Server). If necessary the malware could get substantially more noisy by doing a network scan (again, for well-known ports) or outright sniffing the network (but switched networks make this extremely problematic and if you try to overcome this, it will be VERY noisy). &lt;br&gt;&lt;br&gt;Once the targets are identified, the next step is to attack the servers. Connections that use Windows authentication, such as to SQL Server, are trivial. Otherwise, it might have to resort to brute force. Brute force, in and of itself, can be noisy (depends on whether or not you are auditing failed login attempts). And once it gets in, it can check replication settings, linked servers, etc., to locate further targets, which adds to the discovery process. However, once it's in, it'll need to scan for interesting information, and this usually means looking at metadata for table and column names. 
Once something of interest is found, it's all about extracting the data. &lt;br&gt;&lt;br&gt;After it has some data, it needs to get it off-site. Again, if you can get a site up where malware can be grabbed, getting back out isn't that difficult, either. Even if an organization is doing &lt;a href="http://www.sans.org/reading_room/whitepapers/firewalls/1059.php"&gt;egress filtering&lt;/a&gt;, they still allow out HTTP and HTTPS. As long as the web site passes the filters, all is well. And the data is in the hands of a malicious individual or organization.&lt;br&gt;&lt;br&gt;Afterwards, if necessary, the malware can cover its tracks by removing itself. This may be a good idea to make getting samples of the malware more difficult, thereby impeding a security company's ability to generate signatures on said malware. &lt;br&gt;&lt;br&gt;If it is really this easy, how do you prevent this from happening? Several things make the malware's job more difficult. Some of them I've talked about how to get around, but they should still be in place.&lt;br&gt;&lt;br&gt;&lt;b&gt;Network Layer:&lt;/b&gt;&lt;br&gt;&lt;ul&gt;&lt;li&gt;Up-to-date web filtering software&lt;/li&gt;&lt;li&gt;Firewalls with egress filtering on the perimeter&lt;/li&gt;&lt;li&gt;Firewalls in front of the database servers controlling access to them&lt;br&gt;&lt;/li&gt;&lt;li&gt;Network switches (although it is nearly impossible to find an actual hub nowadays, this still needs to be looked at, especially in smaller organizations with old equipment)&lt;/li&gt;&lt;li&gt;Network configuration on firewalls and switches to block udp/1434 (SQL Server Listener Service)&lt;br&gt;&lt;/li&gt;&lt;li&gt;Use of network-based Intrusion Detection/Prevention System (NIDS/NIPS, or just IDS/IPS)&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Client Workstation Layer:&lt;/b&gt;&lt;br&gt;&lt;ul&gt;&lt;li&gt;Personal firewalls on systems&lt;/li&gt;&lt;li&gt;Up-to-date anti-malware software&lt;/li&gt;&lt;li&gt;Up-to-date on system and application 
patches&lt;/li&gt;&lt;li&gt;User running with less than administrator privileges&lt;/li&gt;&lt;li&gt;Use of Host-based Intrusion Prevention system (HIPS) &lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Server Layer:&lt;/b&gt;&lt;br&gt;&lt;ul&gt;&lt;li&gt;Use IPSEC Policies (Windows) to restrict IP addresses which can connect to the database system&lt;/li&gt;&lt;li&gt;Use IPSEC Policies to block the SQL Server Listener Service (udp/1434)&lt;br&gt;&lt;/li&gt;&lt;li&gt;Use IPSEC Policies to encrypt the traffic and to require authentication to make the connection to the database system&lt;/li&gt;&lt;li&gt;Up-to-date on system patches&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Database System Layer:&lt;/b&gt;&lt;br&gt;&lt;ul&gt;&lt;li&gt;Up-to-date on database system patches&lt;/li&gt;&lt;li&gt;Use non-standard ports (stay away from tcp/1433 for SQL Server and tcp/3306 for MySQL) - Hampers or prevents discovery&lt;/li&gt;&lt;li&gt;Users running with minimal permissions - restricts access to data&lt;/li&gt;&lt;li&gt;Data encryption (SQL Server 2005) on those interesting columns - simply querying the tables won't get sensitive data&lt;/li&gt;&lt;li&gt;Audit failed login attempts (SQL Server) - "Noise" that may allow for detection of a brute force attempt&lt;/li&gt;&lt;li&gt;Enforce Password Policies (SQL Server 2005) - Reduces likelihood of success of a brute force attack&lt;/li&gt;&lt;li&gt;Locking down users by IP, where possible (MySQL) - If the end user doesn't need to access &lt;/li&gt;&lt;/ul&gt;Notice I said more difficult, not impossible. A knowledgeable attacker, with a real desire to break into a system, will find a way to do so. The goal is to make it as difficult as possible while still being reasonable in budget and in functionality for the organization. An attacker who isn't specifically going after a certain company (such as what happened to &lt;a href="http://www.news.com/2100-7349_3-5087698.html"&gt;Valve for Half Life 2&lt;/a&gt;) will likely move on to a much easier target. 
&lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=3270" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Tool: KeePass Password Safe password manager/vault</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/10/31/3079.aspx</link><pubDate>Wed, 31 Oct 2007 12:00:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:3079</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=3079</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=3079</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/10/31/3079.aspx#comments</comments><description>Some time ago I was looking for a password vault and came across some recommendations for &lt;a href="http://keepass.info/"&gt;KeePass&lt;/a&gt;. KeePass is open source and free. 
It's a nice password manager and some of the &lt;a href="http://keepass.info/features.html"&gt;features&lt;/a&gt; I like are:&lt;br&gt;&lt;ul&gt;&lt;li&gt;Strong encryption of the password database&lt;/li&gt;&lt;li&gt;The ability to use a password, key file, or the combination of the two to secure access to said password database&lt;/li&gt;&lt;li&gt;A password generator with a multitude of options&lt;/li&gt;&lt;li&gt;The ability to copy the password to the clipboard (without ever showing it) and have it clear the password after a set amount of time&lt;/li&gt;&lt;li&gt;Organize password entries by groups and subgroups (think folders)&lt;/li&gt;&lt;/ul&gt;A new version, &lt;a href="http://keepass.info/news/n071012_1.09.html"&gt;1.09&lt;/a&gt;, was released in October. There is also a &lt;a href="http://portableapps.com/"&gt;Portable Apps&lt;/a&gt; version which allows you to run it without installation. Therefore, you can stick it on a USB drive and take it with you. I've also run it as a straight executable from a shared network drive. &lt;br&gt;&lt;br&gt;Looking at it from a shared location, KeePass can be used by an organization to store sensitive logins, such as the root password for MySQL, the sa account password, the usernames and passwords for the SQL Server service accounts, etc. In fact, in version 1.09, if the password database is opened by another user, it's smart enough to tell the next person opening it the situation and ask whether that user wants to open the database in read-only or normal mode. One way to handle this is to distribute the key file to all admins and as long as they have that, they can unlock the password database. If someone leaves the organization who had access to the password database, generate a new key and re-distribute it, and you're back in business, even if they copied the key file. 
Granted, the password entries stored within will have to be addressed, but this is a problem regardless of your password vault solution (or lack thereof).&lt;br&gt;&lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=3079" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Structuring the Blog Better</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/10/28/3074.aspx</link><pubDate>Mon, 29 Oct 2007 02:59:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:3074</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=3074</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=3074</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/10/28/3074.aspx#comments</comments><description>For a variety of reasons, including personal/family concerns and workload, I've not been able to write as often as I'd like. 
That doesn't just include the blog, but also writing articles. It's been a long while since I've written an &lt;a href="http://www.sqlservercentral.com/Authors/Articles/Brian_Kelley/4995/"&gt;article for SSC&lt;/a&gt;. I want to get back to writing at least monthly, if not more often. One of the keys to writing well is to write every day. Therefore, I'm going to provide some structure to the blog in order to make it easier to post every weekday with something that will hopefully be useful. Here are the types of posts that should be present based on the day of the week:&lt;br&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Monday&lt;/b&gt; - Career Development&lt;/li&gt;&lt;li&gt;&lt;b&gt;Tuesday&lt;/b&gt; - Tips, Tricks, and SQL Scripts&lt;/li&gt;&lt;li&gt;&lt;b&gt;Wednesday&lt;/b&gt; - Tools, Tools, and More Tools&lt;/li&gt;&lt;li&gt;&lt;b&gt;Thursday&lt;/b&gt; - Tips, Tricks, and SQL Scripts&lt;/li&gt;&lt;li&gt;&lt;b&gt;Friday&lt;/b&gt; - Notable Resources (Blogs, Articles, Books, Podcasts)&lt;/li&gt;&lt;/ul&gt;I won't limit myself to one post a day, but hopefully that becomes the minimum. While I primarily focus on Microsoft SQL Server in this blog, the reality is I deal with Active Directory, security, and MySQL on a daily basis as well, meaning I'll include posts in those technology areas as well. &lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=3074" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Books+_2F00_+Writing/default.aspx">Books / Writing</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Volunteering</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/05/22/1701.aspx</link><pubDate>Tue, 22 May 2007 04:07:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1701</guid><dc:creator>K. 
Brian Kelley</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1701</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1701</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/05/22/1701.aspx#comments</comments><description>I've spent my spare time the last few weekends helping a non-profit called &lt;a href="http://www.fastforwardctc.com/"&gt;Fast Forward&lt;/a&gt; here in the Columbia, SC area. I don't post this here to blow my own horn but rather to point out the need many non-profit organizations have for quality IT support. Most non-profits operate on a limited budget meaning they take help where they can get it. Often times there just isn't money left in the budget for a services contract, etc., even for an organization like Fast Forward. &lt;br&gt;&lt;br&gt;This is where knowledgeable folks can really make a difference. I know the usual excuse: after spending all week looking at a computer screen, the last thing anyone wants to do is spend the weekend working on computers. I've been there, so I understand that feeling completely. However, I have to say that the time I've spent working at Fast Forward has been personally rewarding. There's a sense of accomplishment knowing I've put my skills to work helping others, with no expectation of any tangible reward. &lt;br&gt;&lt;br&gt;This isn't to say that there isn't some career benefit. I've read the myriad of blogs/books/articles which say volunteering at non-profits is a great way to build up skills you would like to develop. That's a true potential benefit. However, what if you're re-using the skills you've already developed? I work on servers every day. So helping out with servers and/or workstations isn't an expansion on my skill set. 
Fast Forward isn't likely to go and use SQL Server and experiment with Longhorn server or check out the latest features of MySQL. What's the personal gain? To that I point back to the "making a difference" reason. Sometimes it's gotta be more than just about ourselves.&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; 
&lt;a href="http://technorati.com/tag/Life"&gt;Life&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Work"&gt;Work&lt;/a&gt;| 
&lt;a href="http://technorati.com/tag/Volunteering"&gt;Volunteering&lt;/a&gt;
&lt;/font&gt;&lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1701" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Leadership/default.aspx">Leadership</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Thoughts from The Cuckoo's Egg</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/04/06/1526.aspx</link><pubDate>Fri, 06 Apr 2007 19:33:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1526</guid><dc:creator>K. 
Brian Kelley</dc:creator><slash:comments>2</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1526</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1526</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/04/06/1526.aspx#comments</comments><description>&lt;a href="http://www.amazon.com/gp/product/1416507787?ie=UTF8&amp;tag=truthsolution-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1416507787"&gt;
									&lt;img src="http://www.truthsolutions.com/images/reading_list/1416507787_01__AA_SCTZZZZZZZ_V47147111_.jpg" border="0" align="left"&gt;&lt;/a&gt; &lt;i&gt;&lt;br&gt;&lt;a href="http://www.amazon.com/gp/product/1416507787?ie=UTF8&amp;tag=truthsolution-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=1416507787"&gt;The Cuckoo's Egg&lt;/a&gt;&lt;/i&gt; by &lt;a href="http://www.ocf.berkeley.edu/%7Estoll/"&gt;Clifford Stoll&lt;/a&gt; has been around for a while, having been published in 1989. It details how a system administrator (a trained astronomer who had to find something else to do) tracked a &lt;a href="http://en.wikipedia.org/wiki/Markus_Hess"&gt;malicious hacker&lt;/a&gt; through his system and numerous others including defense contractors and unclassified DoD systems. It's one of those books a lot of folks who work security say should be read if you're in the field. When I was a cadet at &lt;a href="http://www.citadel.edu/"&gt;The Citadel&lt;/a&gt;, one of the other guys in my company was reading it and said it was a good thriller of a book. I meant to borrow it from him and never did. Then I meant to read it for some time but every time I thought about it, I would subsequently forget to go look for it or check it out from the library. Well, I finally did read it and found that my friend's assessment was a good one. I think my wife would agree as she swiped it away from me before I was done and finished it first.&lt;br&gt;&lt;br&gt;As I went through the book I watched for security principles in play and what was true in 1989 in large part holds true today. Some of the things that were revealed as Mr. 
Stoll went through his meticulous process of tracking the intruder who was working for the KGB:&lt;br&gt;&lt;br&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Honeypots are effective to attract an attacker and learn about his or her methods.&lt;/b&gt; In the book Stoll's roommate comes up with an idea to place what look to be classified documents on a military defense system on one of the servers and to keep it updated so as to look like a regular project that is progressing. This is ultimately how they get the attacker to stay connected long enough to trace him. Honeypots are used today to attract attacks, especially automated ones, so we can analyze them and learn to defend against them.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Dictionary-based passwords don't work.&lt;/b&gt; The attacker in the tale kept grabbing the password file from the servers he was attacking. Stoll at first couldn't figure out why, because the passwords were encrypted with a one-way function, which meant that if you had the actual password it was easy to get the encrypted hash, but the opposite, where you have the hash and want to get the actual password, wasn't true. However, the algorithm used to encrypt the passwords was well known. So if you calculate all the hashes for a set of words, you can compare the hashes and figure out what the passwords are. BTW, this is an issue with Windows passwords. Do a search for &lt;a href="http://www.google.com/search?q=rainbow+tables"&gt;rainbow tables&lt;/a&gt; and you'll find several sites that have rainbow tables for Windows-based passwords.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Just because you can't see the monitoring devices doesn't mean you aren't being watched.&lt;/b&gt; Stoll put a line printer before the server itself, meaning he got an output of everything that was going back and forth on the line. This allowed him to watch the attacker as he came and went. Nothing was running on the server itself. This is analogous to two things in today's world: sniffers and rootkits. 
Sniffers watch the wire and from the server you can't tell you're being watched. This is why encrypting sensitive data across untrusted lines is important. Rootkits are running at a level where they can intercept any calls you make to try and detect them. That's why there was so much concern over rootkits (and still is).&lt;/li&gt;&lt;li&gt;&lt;b&gt;When doing forensics work, keep a log.&lt;/b&gt; This is a no-brainer. Log everything you do, who you speak to, every step. Time and time again Stoll went back to his log. Because he had it, he was able to connect a lot about the attacker's behavior, prove he had informed the right people of what happened, etc. This is actually a good rule for troubleshooting. Log everything you do because you (a) want to be able to undo anything that didn't work and (b) want to know how exactly you fixed a problem.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Don't assume your system has no value. &lt;/b&gt;Stoll's system didn't have classified secrets on it. But it did represent a jumping off point to attack other systems. Frequently I have conversations with folks about securing development servers. To the attacker, a development server may be just as valuable as a production server. If a system is on your production network, it needs to be secured.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Don't assume you are secure.&lt;/b&gt; Stoll found several folks who assumed their systems were secured. The evidence showed otherwise. Paranoia is good in the security field. Let me rephrase that... controlled and focused paranoia is good.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Check your logs frequently and investigate inconsistencies. &lt;/b&gt;Stoll stumbled onto the hacker because of a 75 cent accounting error. That's what started the whole trace. The better an attacker is, the less likely he or she is to leave clues. 
Therefore, even the smallest details are important.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Change default accounts and passwords.&lt;/b&gt; The attacker kept breaking into systems because administrators had left default accounts and passwords active. Blank passwords, passwords of "password" (or some derivative), and default passwords are all bad. If an attacker is knowledgeable of the defaults and we leave them active, we've opened the door. It was amazing how many systems the attacker got into using this simple method. &lt;br&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/Security"&gt;Security&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Database+Security"&gt;Database Security&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Network+Security"&gt;Network Security&lt;/a&gt; |
&lt;a href="http://technorati.com/tag/Windows+Security"&gt;Windows Security&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server+Security"&gt;SQL Server Security&lt;/a&gt;&lt;/font&gt;&lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1526" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Books+_2F00_+Writing/default.aspx">Books / Writing</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Daylight Saving Time and SQL Server</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/02/13/1383.aspx</link><pubDate>Wed, 14 Feb 2007 03:54:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1383</guid><dc:creator>K. 
Brian Kelley</dc:creator><slash:comments>8</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1383</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1383</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/02/13/1383.aspx#comments</comments><description>If you're in the United States, chances are you've already heard about Daylight Saving Time (DST) occurring 3 weeks early this year. This is due to the &lt;a href="http://en.wikipedia.org/wiki/Energy_Policy_Act_of_2005"&gt;Energy Policy Act of 2005&lt;/a&gt;, so it's not new news, but a lot of systems and applications are only now getting the updates. The Energy Policy Act of 2005 changes DST to start on the 2nd Sunday in March instead of the first Sunday in April. In addition, it now lasts one week longer, ending the first Sunday of November instead of the last Sunday in October. For this year that means DST starts on March 11.&lt;br&gt;&lt;br&gt;For the most part SQL Server isn't affected. The only SQL Server component which is affected happens to be Notification Services. You can find information on how to update Notification Services here:&lt;br&gt;&lt;br&gt;&lt;a href="http://support.microsoft.com/kb/931815/en-us"&gt;2007 time zone update for SQL Server 2005 Notification Services and for SQL Server 2000 Notification Services (931815)&lt;/a&gt;&lt;br&gt;&lt;br&gt;Though most SQL Server components aren't affected, the operating system on which SQL Server is installed does need to be updated (with the exception of Vista). For Windows XP and 2003 there is a patch available. 
You can grab the update for these operating systems here:&lt;br&gt;&lt;br&gt;&lt;a href="http://support.microsoft.com/kb/931836/"&gt;February 2007 cumulative time zone update for Microsoft Windows operating systems (931836)&lt;/a&gt;&lt;br&gt;&lt;br&gt;Windows 2000, since it has passed into Extended support, does not have a publicly available update. As a result, these systems must be updated by making modifications to the registry. More information can be found here:&lt;br&gt;&lt;br&gt;&lt;a href="http://support.microsoft.com/kb/914387/"&gt;How to configure daylight saving time for the United States in 2007 (914387)&lt;/a&gt;&lt;br&gt;&lt;br&gt;Do note that if you have Outlook on the system (such as on a workstation), there are updates to Outlook which must follow almost immediately. Outlook isn't the only Microsoft based application to be affected. To find out more information on what Microsoft applications are impacted, see here:&lt;br&gt;&lt;br&gt;&lt;a href="http://support.microsoft.com/dst2007/"&gt;Microsoft Daylight Saving Time Help and Support Center&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/Daylight+Saving+Time"&gt;Daylight Saving Time&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server"&gt;SQL Server&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Microsoft+SQL+Server"&gt;Microsoft SQL Server&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server+2000"&gt;SQL Server 2000&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server+2005"&gt;SQL Server 2005&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+2000"&gt;Windows 2000&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+2003"&gt;Windows 2003&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+XP"&gt;Windows XP&lt;/a&gt; &lt;br&gt;&lt;/font&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1383" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>New Review: NGS Software's Typhon III</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/01/25/1325.aspx</link><pubDate>Fri, 26 Jan 2007 04:59:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1325</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1325</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1325</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/01/25/1325.aspx#comments</comments><description>I recently had the opportunity to review NGS Software's updated Typhon III general vulnerability scanner. I had previously reviewed it two years ago and was impressed with the product then. 
The updated version has some nice, new features. You can read my review here: &lt;a href="http://www.sqlservercentral.com/columnists/bkelley/2827.asp"&gt;A Review of Typhon III&lt;/a&gt;. It'll hit the main page of &lt;a href="http://www.sqlservercentral.com/"&gt;SQLServerCentral.com&lt;/a&gt; on February 5, 2007.&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/DATABASE"&gt;DATABASE&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server"&gt;SQL Server&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Microsoft+SQL+Server"&gt;Microsoft SQL Server&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server+2000"&gt;SQL Server 2000&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server+2005"&gt;SQL Server 2005&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/MySQL"&gt;MySQL&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Security"&gt;Security&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Database+Security"&gt;Database Security&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Network+Security"&gt;Network Security&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+Security"&gt;Windows Security&lt;/a&gt;
&lt;br&gt;&lt;/font&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1325" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Adding value to our organizations</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/01/09/1313.aspx</link><pubDate>Wed, 10 Jan 2007 01:38:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1313</guid><dc:creator>K. 
Brian Kelley</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1313</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1313</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/01/09/1313.aspx#comments</comments><description>Sean McCown writes in the latest &lt;a href="http://weblog.infoworld.com/dbunderground/"&gt;Database Underground&lt;/a&gt; about how &lt;a href="http://weblog.infoworld.com/dbunderground/archives/2007/01/dont_be_a_tool.html"&gt;DBAs should try and make things better for users of an organization&lt;/a&gt;. I think Sean hits upon an important point not just for DBAs but for all IT workers. Too often IT is seen as a cost center, an impediment, as something necessary for an organization but not necessarily glorified or appreciated. As technicians we may find ourselves amazed at how the business people don't see value in what we do, we may groan and complain that they don't understand how hard we work, or we may think they don't care. From the business perspective, though, it's hard to understand why it takes so much to do some of the things we do. But then again, we sometimes marvel at some of the things the business folks do and we shake our heads and say, "I don't get it." However, they do and it is their turn to wonder why we don't understand how hard they work and wonder why we don't care. &lt;br&gt;&lt;br&gt;Responsible IT workers seek to make a positive difference for the company beyond their "day jobs." It may not be helping automate a user's spreadsheet (after all, some system administrators may not have much expertise on the latest business software), but there is certainly something every IT worker can do to add value to the organization. 
A similar point was made by Vanessa Williams in her blog, &lt;a href="http://www.fridgebuzz.com/"&gt;fridgebuzz&lt;/a&gt;. In a recent post titled &lt;a href="http://www.fridgebuzz.com/2007/01/02/the-long-tail-of-web-services/"&gt;The Long Tail of Web Services&lt;/a&gt; she talks about how Amazon.com occasionally gets recognition for some of its initiatives which don't seem to have any relation to its core business. Google is the new "hot company" but just like Amazon.com, Google is investing heavily in its infrastructure. However, while Google has incredible expertise, they aren't utilizing it as a profit center. &lt;br&gt;&lt;br&gt;For Amazon.com, the model is already built. Amazon.com invested heavily in its infrastructure. Now it's seeking to use those investments to allow third-party vendors to partner and piggy-back on the great work its personnel have accomplished. Ultimately, that means a greater and more stable source of revenue for Amazon.com beyond selling warehouses full of books, CDs, and DVDs. But for Amazon.com to be positioned to have such a strong infrastructure, that means someone in IT had to think beyond "web store." Then someone had to consider what to do with all that infrastructure and how to make money for Amazon.com. That's adding value, something we can all do. And when we start doing this enough, the organization will see IT as an asset and a wise investment rather than as "overhead."&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/Life"&gt;Life&lt;/a&gt; |
&lt;a href="http://technorati.com/tag/Work"&gt;Work&lt;/a&gt; |
&lt;a href="http://technorati.com/tag/Information+Technology"&gt;Information Technology&lt;/a&gt; |
&lt;a href="http://technorati.com/tag/Adding+Value"&gt;Adding Value&lt;/a&gt;
&lt;br&gt;&lt;br&gt;&lt;/font&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1313" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Leadership/default.aspx">Leadership</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Shared Items on Google Reader</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/01/06/1309.aspx</link><pubDate>Sat, 06 Jan 2007 17:05:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1309</guid><dc:creator>K. 
Brian Kelley</dc:creator><slash:comments>1</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1309</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1309</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2007/01/06/1309.aspx#comments</comments><description>I read through a lot of blogs each day in a variety of technology categories. I've always fashioned myself as a jack-of-all-trades and that helps me a great deal with my current position. However, it does mean consuming a lot of feeds to try and stay up in all the areas I have a profound interest in. Here are my &lt;a href="http://share.opml.org/viewsharedfeeds/?user_id=1672"&gt;shared feeds&lt;/a&gt; on &lt;a href="http://share.opml.org/"&gt;share.opml.org&lt;/a&gt;.&lt;br&gt;&lt;br&gt;&lt;a href="http://www.google.com/reader/"&gt;Google Reader&lt;/a&gt; has a nice feature where I can &lt;a href="http://www.google.com/help/reader/sharing.html"&gt;share items&lt;/a&gt; I find interesting. There are a ton of good blog posts each day, so I've started marking them to be shared. 
There are two ways to view these shared items: one is the &lt;a href="http://www.google.com/reader/shared/08724552586155039650"&gt;web page&lt;/a&gt; and the other is through the &lt;a href="http://www.google.com/reader/public/atom/user/08724552586155039650/state/com.google/broadcast"&gt;RSS feed&lt;/a&gt;.&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/Google+Reader"&gt;Google Reader&lt;/a&gt; | &lt;a href="http://technorati.com/tag/Blogging"&gt;Blogging&lt;/a&gt; | &lt;a href="http://technorati.com/tag/Sharing+Feeds"&gt;Sharing Feeds&lt;/a&gt; | &lt;a href="http://technorati.com/tag/RSS"&gt;RSS&lt;/a&gt; | &lt;a href="http://technorati.com/tag/OPML"&gt;OPML&lt;/a&gt; | &lt;a href="http://technorati.com/tag/Reading+List"&gt;Reading List&lt;/a&gt;&lt;/font&gt;&lt;br&gt;&lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1309" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Perl/default.aspx">Perl</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Books+_2F00_+Writing/default.aspx">Books / Writing</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Leadership/default.aspx">Leadership</category><category 
domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/.NET/default.aspx">.NET</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Conferences_2F00_User+Groups/default.aspx">Conferences/User Groups</category></item><item><title>Jason Haley recently began posting his interesting finds again</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2006/12/09/1219.aspx</link><pubDate>Sat, 09 Dec 2006 16:40:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1219</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1219</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1219</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2006/12/09/1219.aspx#comments</comments><description>&lt;a href="http://jasonhaley.com/Blog/default.aspx"&gt;Jason Haley&lt;/a&gt; used to post his Interesting Finds about every day, if not multiple times a day. 
The interesting finds were a collection of blog posts and other links he had come across from his various RSS feeds which he put together for others who were interested in the same sorts of things he was (Microsoft development topics, Boston happenings, and after his move to Seattle, Seattle happenings, career development articles, etc.). He took a break for several weeks, but it's nice to see that he's begun posting them again, &lt;a href="http://jasonhaley.com/blog/archive/2006/11/26/137607.aspx"&gt;starting back around Thanksgiving&lt;/a&gt;.&lt;br&gt;&lt;br&gt;Here's his RSS feed for those who might be interested: &lt;a href="http://jasonhaley.com/blog/Rss.aspx"&gt;JasonHaley.com blog feed&lt;/a&gt;.&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/Microsoft"&gt;Microsoft&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Programming"&gt;Programming&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/DATABASE"&gt;DATABASE&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL"&gt;SQL&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/T-SQL"&gt;T-SQL&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server"&gt;SQL Server&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Microsoft+SQL+Server"&gt;Microsoft SQL Server&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server+2000"&gt;SQL Server 2000&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/SQL+Server+2005"&gt;SQL Server 2005&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Life"&gt;Life&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Work"&gt;Work&lt;/a&gt;&lt;/font&gt;
&lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1219" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2000/default.aspx">SQL Server 2000</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/.NET/default.aspx">.NET</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Windows 2000 Resource Kit Tools Available</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2006/12/09/1215.aspx</link><pubDate>Sat, 09 Dec 2006 16:21:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1215</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1215</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1215</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2006/12/09/1215.aspx#comments</comments><description>If you're like me and rely a lot on the resource kit tools, you may have found that it's relatively easy to find the Windows Server 2003 Resource Kit tools in searches on the Microsoft site. 
However, if you still have Windows 2000 computers (including Windows 2000 Active Directory domain controllers), some of the tools re-written for Windows Server 2003 may not work properly on Windows 2000 systems. Microsoft has put together a Knowledge Base article which includes all of the commonly used administrative tools in one place:&lt;br&gt;&lt;br&gt;&amp;nbsp; &lt;a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;927229"&gt;Windows 2000 Resource Kit Tools for Administrative Tasks (927229)&lt;/a&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/Microsoft"&gt;Microsoft&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+2000"&gt;Windows 2000&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Active+Directory"&gt;Active Directory&lt;/a&gt;&lt;/font&gt;
&lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1215" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>SysInternals Tools Updated</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2006/12/09/1214.aspx</link><pubDate>Sat, 09 Dec 2006 16:02:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1214</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1214</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1214</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2006/12/09/1214.aspx#comments</comments><description>Several &lt;a href="http://www.microsoft.com/technet/sysinternals/default.mspx"&gt;SysInternals Tools&lt;/a&gt; have been updated. One of the big updates was to the &lt;a href="http://www.microsoft.com/technet/sysinternals/utilities/pstools.mspx"&gt;PSTools Suite&lt;/a&gt; - now you can pass the EULA acceptance in a command line format. When the tools first appeared on the Microsoft TechNet site, there was a &lt;a href="http://forum.sysinternals.com/forum_posts.asp?TID=8783&amp;amp;PN=1"&gt;GUI-based EULA&lt;/a&gt; that popped up when the tool was run. 
This broke any scripts which relied on the tools. Also new is a single download that wraps up all of the SysInternals Tools: &lt;a href="http://www.microsoft.com/technet/sysinternals/utilities/sysinternalssuite.mspx"&gt;SysInternals Suite&lt;/a&gt;. This is great because now all the tools can be downloaded and extracted at one time into a directory where before there were a lot of little individual downloads. Even better, if the PATH variable is set to include that directory, they can be run from the command line no matter what directory you happen to be in. For command-line tool junkies like me, this is essential.&lt;br&gt;&lt;br&gt;  &lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/Microsoft"&gt;Microsoft&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+2000"&gt;Windows 2000&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+2003"&gt;Windows 2003&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+XP"&gt;Windows XP&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Windows+Vista"&gt;Windows Vista&lt;/a&gt;&lt;/font&gt;
&lt;br&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1214" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item><item><title>Excellent post on encryption</title><link>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2006/12/01/1132.aspx</link><pubDate>Fri, 01 Dec 2006 14:53:00 GMT</pubDate><guid isPermaLink="false">70975365-724d-4ce8-8d1c-45c963ab81ff:1132</guid><dc:creator>K. Brian Kelley</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/rsscomments.aspx?PostID=1132</wfw:commentRss><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.sqlservercentral.com/blogs/brian_kelley/commentapi.aspx?PostID=1132</wfw:comment><comments>http://www.sqlservercentral.com/blogs/brian_kelley/archive/2006/12/01/1132.aspx#comments</comments><description>&lt;a href="http://blogs.msdn.com/lcris/default.aspx"&gt;Laurentiu Cristofor&lt;/a&gt; has an excellent blog post, &lt;a href="http://blogs.msdn.com/lcris/archive/2006/11/30/who-needs-encryption.aspx"&gt;Who needs encryption?&lt;/a&gt;, which presents some point blank facts about encryption and the correlations you can draw from those facts. This post isn't a SQL Server or even a database specific post. It's about encryption in general. 
&lt;br&gt;&lt;br&gt;I love his Fact #1: &lt;i&gt;&lt;b&gt;Encryption does not eliminate the need to protect some data&lt;/b&gt;&lt;/i&gt;. I was recently talking with some peers about whole disk encryption technologies. The idea behind whole disk encryption technologies is that if someone were able to steal the hard drive (such as by taking a laptop), as long as the hard drive was powered off, by powering it on they wouldn't immediately get access to the data. They would have to decrypt the hard drive. Well, there are two ways to go about this. You can either try and decrypt the whole hard drive, or you can try and decrypt the portion that stores the key to decrypt the whole hard drive. Any serious attacker is going to go after the latter because once you get it, you get the whole hard drive. And that's the point. You no longer are in the business of safeguarding &lt;u&gt;&lt;b&gt;all&lt;/b&gt;&lt;/u&gt; the data. The encryption does that for you with the exception of the key itself. You &lt;b&gt;&lt;u&gt;must &lt;/u&gt;&lt;/b&gt;safeguard it. The discussion with respect to whole disk encryption turned to wanting to make the encryption on the key weaker than on the rest of the drive because people were having to enter in too many combos of characters when they forgot their password and the admins needed to unlock the drive. My point was that whichever was weaker, that was the level to which the hard drive was &lt;u&gt;effectively&lt;/u&gt; encrypted. Therefore, weakening the encryption algorithm on the key to make it easier for customer support reps and end users to unlock the hard drive in the case of a forgotten password wasn't a good idea.&lt;br&gt;&lt;br&gt;Fact #4 is a sticking point for me, too. When developers who aren't very knowledgeable on encryption say, "Hey, I'll just build an encryption algorithm because I don't feel like using one of these others. How hard can it be?"&amp;nbsp; that drives me crazy. 
A lot of developers understand that here laziness is the right approach. If it's a rock-solid algorithm that has undergone the scrutiny of the crypto community and survived, it's a good candidate. Just figure out how to implement it. Unless you have advanced degrees in mathematics and time in the field, it is extremely arrogant to think you can design an algorithm better than what's already out there. Granted, you might, but given some of the algorithms developed, you've wasted a lot more time doing so when you could have been doing other activities for your organization.&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;font size="1"&gt;&lt;b&gt;Technorati Tags:&lt;/b&gt; &lt;a href="http://technorati.com/tag/Security"&gt;Security&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Database+Security"&gt;Database Security&lt;/a&gt; | 
&lt;a href="http://technorati.com/tag/Network+Security"&gt;Network Security&lt;/a&gt; |  
&lt;a href="http://technorati.com/tag/Windows+Security"&gt;Windows Security&lt;/a&gt;&lt;br&gt;&lt;/font&gt;&lt;img src="http://www.sqlservercentral.com/blogs/aggbug.aspx?PostID=1132" width="1" height="1"&gt;</description><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/MySQL/default.aspx">MySQL</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/SQL+Server+2005/default.aspx">SQL Server 2005</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Tools/default.aspx">Tools</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Architecture/default.aspx">Architecture</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Security/default.aspx">Security</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Server/default.aspx">Windows Server</category><category domain="http://www.sqlservercentral.com/blogs/brian_kelley/archive/tags/Windows+Workstation/default.aspx">Windows Workstation</category></item></channel></rss>